Michał Bentkowski

List of blog posts

RSS

• Chromium: Same Origin Policy bypass within a single site a.k.a. "Google Roulette" (16 November 2022)
• Another XSS in Google Colaboratory (20 September 2018)
• Vulnerability in Hangouts Chat: from open redirect to code execution (23 July 2018)
• XSS in Google Colaboratory + CSP bypass (21 June 2018)
• Setting arbitrary request headers in Chromium via CRLF injection (20 June 2018)
• Yet Another Google Caja bypasses hat-trick (30 November 2017)
• Firefox - Same-Origin Policy bypass (CVE-2015-7188) (05 July 2016)
• XSS-es in Google Caja (03 July 2016)
• XSS via file upload - www.google.com (Postini Header Analyzer) (12 May 2015)
• XSS via window.stop() - Google Safen Up (01 May 2015)
• XSS via Host header - www.google.com/cse (22 April 2015)
• So Google sent me a package... (25 January 2015)
• Facebook and two dots leak (15 September 2014)
• Google Doodle - XSS (actually response splitting) (17 July 2014)
• Gmail and Google+ - tale of two XSS-es (14 June 2014)
• Easter eggs in Google Bug Bounty (26 April 2014)
• Google Code Playground - Path Traversal (07 April 2014)
• Getting started (30 March 2014)